Cryakl Ransomware

Cryakl Ransomware is a new Russian malware that can encrypt most of your files after it sneaks onto your system. If you do not have a recent backup copy of your personal files on an external drive, you may lose all your photos, videos, documents, archives, and more in this dangerous attack. Right now, the only way for you to get the private key that is needed to decrypt your files is to pay the ransom fee these crooks demand. However, even that cannot be taken for granted. What if these criminals do not send you the key after you pay? What if technical issues come up and it becomes impossible for you to receive the decryption key at all? So before you make your decision, there are some questions you need to answer, mainly this one: “Are your files worth paying the fee?” Whether you pay or not, in the end there is only one solution if you want to use a secure computer: you need to remove Cryakl Ransomware. Of course, if you want to have a shot at decrypting your files, you should delete this infection only after you have received the key and used it.

Like most ransomware infections, Cryakl Ransomware also travels the web in spam e-mails. A malicious executable file is attached to these mails, and this is how the malware is distributed. Of course, it is hard to tell that this is a ransomware executable, since it poses as an image or document file, such as a fake invoice or any other document you would feel urged to open. Our research shows that in this case, for example, you can get an e-mail that claims to include an invoice with information about an allegedly declined payment. The subject of such a mail may carry only a made-up invoice number, e.g., “Re: Invoice #53443221/2016FDGRE”, but it can really be anything that would make you open it. The most common topics these spam mails use are related to credit cards, reservations (hotel, flight), parcel delivery issues, invoice problems, and so on. These mails can bypass your spam filter and land in your inbox. Therefore, you need to be more cautious every time you check your mail, because you can never know when such a spam message shows up. When in doubt, you should always double-check with the sender that the mail was really meant for you before you even consider opening its attachment.

Most of the time this infection is initiated after you download the attached “document” and click to run it. While you may think that you are about to see an unpaid invoice or problematic hotel reservation, a fake document may come up but, at the same time, Cryakl Ransomware can start up and encrypt all your files. By the time you realize what just happened, it could be too late to delete Cryakl Ransomware to save your files. Of course, this is what you should do anyway if you find this vicious threat on your computer.

This ransomware targets practically all file extensions, and not only on the drives connected to your PC but also on all mapped network drives as well as your cloud storage. Cryakl Ransomware uses strong hybrid AES-RSA encryption with a large key, which makes it practically impossible to decrypt the files by brute force (trial and error). Of course, it is still possible that a free tool will appear on the web that might help you recover your files, but it may take some time.

All your encrypted files get a “facelift,” i.e., a new name that may look like “email-iizomer@aol.com.ver-CL 1.0.0.0.u.id-KKLMMNNOOPQQQRRSTTUUVVVWXXYYZZZABBCD-8@4@2016 1@44@46 PM7040822@@@@@B450-0913.randomname-ZABBCDEFFGHIJKKLMNOOPQRSTTTUVW.XYZ”, where the e-mail address at the beginning of the string can also be “ninja.gaiver@aol.com” and the file name can end with a “.cbf” extension, depending on the version you download. When the encryption is over, your desktop wallpaper changes to display the ransom note. This is a very simple note in Russian that tells you to contact the authors via e-mail (iizomer@aol.com) within a week and send one encrypted file, or else you will lose all your files. Crooks sometimes offer to decrypt one of the victim's files to prove that they indeed have the private key and are capable of recovering all the files. Unfortunately, the full decryption rarely happens. This ransomware creates a Run registry entry so that it starts automatically with Windows whenever you restart your computer. This way it can make sure that you cannot escape its trap and will be forced to pay the ransom fee, which is generally from 100 to 500 USD, paid in Bitcoins. We believe that you should delete Cryakl Ransomware the moment you notice its presence, even if it is too late to save your files. But, of course, this is your decision and these are your files. If you want to risk losing your money by paying these criminals, do not remove Cryakl Ransomware just yet.
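As an added triage example (not code from the original article), the following PowerShell helper matches file names against the rename pattern described above and pulls out the contact e-mail, version tag and victim id, then groups hits per folder tree. The regular expression is generalised from the single sample name on this page, and the second sample name is a constructed ".cbf" variant; both are assumptions.

```powershell
# Added example, not from the original article. The pattern generalises the one
# sample name shown on this page; treat it as an assumption about the format.
$CryaklNamePattern = '^email-(?<email>.+?)\.ver-(?<ver>CL \d+(?:\.\d+)*)\.(?<flag>[^.]+)\.id-(?<id>.+?)\.randomname-(?<rnd>[^.]+)\.(?<ext>[^.]+)$'

function Test-CryaklName {
    # Returns a summary object when $Name looks like a Cryakl-renamed file, else $null.
    param([Parameter(Mandatory)][string]$Name)
    if ($Name -match $CryaklNamePattern) {
        [pscustomobject]@{
            Name      = $Name
            Email     = $Matches['email']   # attacker contact address embedded in the name
            Version   = $Matches['ver']     # e.g. "CL 1.0.0.0"
            VictimId  = $Matches['id']
            Extension = $Matches['ext']     # "XYZ" or "cbf" in the variants described
        }
    } else { $null }
}

function Find-CryaklFiles {
    # Walks a folder tree and groups hits by contact e-mail, so an analyst can see
    # which variant struck and how many files were renamed.
    param([Parameter(Mandatory)][string]$Path)
    $hits = Get-ChildItem -Path $Path -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object { Test-CryaklName -Name $_.Name } |
        Where-Object { $_ }
    $hits | Group-Object Email | ForEach-Object {
        [pscustomobject]@{
            Email    = $_.Name
            Files    = $_.Count
            Versions = ($_.Group.Version | Sort-Object -Unique) -join ','
        }
    }
}

# Constructed sample names: the first is the one quoted on the page, the second is
# an assumed ".cbf" variant, the third is a benign name that must not match.
$samples = @(
    'email-iizomer@aol.com.ver-CL 1.0.0.0.u.id-KKLMMNNOOPQQQRRSTTUUVVVWXXYYZZZABBCD-8@4@2016 1@44@46 PM7040822@@@@@B450-0913.randomname-ZABBCDEFFGHIJKKLMNOOPQRSTTTUVW.XYZ',
    'email-ninja.gaiver@aol.com.ver-CL 1.0.0.0.u.id-ABC-1@1@2016 1@00@00 AM0000000@@@@@0000-0000.randomname-QWERTY.cbf',
    'report.docx'
)
$samples | ForEach-Object { Test-CryaklName -Name $_ } | Format-Table Email, Version, Extension -AutoSize
```

Run `Find-CryaklFiles -Path $env:USERPROFILE` on an affected machine to get a per-variant count before deciding on recovery.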

If you are ready to act and fight back, we have prepared instructions for you to follow if you do not mind manual removal. In fact, it is not that difficult to eliminate this threat, and you do not even need to restart your system in Safe Mode to do so. You may want a more reliable and effective way to delete Cryakl Ransomware and to protect your computer from further malware attacks. Therefore, we suggest that you install a reputable anti-malware program and keep it updated regularly for best results. Only when your system is secure again do we recommend that you start copying your backed-up files back onto your machine or try to find a recovery tool on the web. We would only suggest the latter option for advanced users, though. If you are inexperienced, maybe you should ask a friend or an IT expert to help you with the recovery part.

How to remove Cryakl Ransomware from Windows

Press Win+Q and enter regedit. Press the Enter key.

Locate and delete the “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pr” value, whose value data is “C:\Program Files (x86)\service.exe” (the .exe file name can be random).

Close the editor.

Press Win+E.

Delete “service.exe” (or any random-name file you found in the Run registry value data) from these folders:
%TEMP%
%PROGRAMFILES%
%PROGRAMFILES(x86)% (64-bit)
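The same check as a script, added here as an example and not part of the original instructions: it lists Run values named “pr” or pointing to an executable inside the folders above, and deletes the value and the file only when -Remove is passed. The WOW6432Node and HKCU keys are assumptions beyond the single key named in the steps; run it from an elevated PowerShell.

```powershell
# Added example, not from the original article. Inspects the Run keys for the
# persistence value described in the steps above ("pr" -> an .exe dropped in TEMP or
# Program Files) and, only when -Remove is given, deletes the value and the file.
# Run from an elevated (Administrator) PowerShell; HKLM cannot be edited otherwise.
function Find-CryaklPersistence {
    param([switch]$Remove)

    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',  # assumption: 32-bit view
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'               # assumption: per-user variant
    )
    # Drop folders named in the removal instructions; the binary name may be random.
    $dropFolders = @($env:TEMP, $env:ProgramFiles, ${env:ProgramFiles(x86)}) |
        Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') }
    $metaProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

    foreach ($key in $runKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($metaProps -contains $p.Name) { continue }   # provider metadata, not Run values
            $cmd = [string]$p.Value
            # Reduce "C:\path\x.exe" /args or C:\path\x.exe /args to the executable path.
            $exe = if ($cmd -match '^"([^"]+)"') { $Matches[1] } else { ($cmd -split '\s+')[0] }
            if (-not $exe) { continue }
            $dir = Split-Path -Path $exe -Parent
            $inDropFolder = $dropFolders -contains $dir.TrimEnd('\')   # -contains is case-insensitive
            if ($p.Name -ne 'pr' -and -not $inDropFolder) { continue }

            [pscustomobject]@{
                Key = $key; ValueName = $p.Name; Command = $cmd
                Executable = $exe; FileExists = (Test-Path -LiteralPath $exe)
            }
            if ($Remove) {
                Remove-ItemProperty -Path $key -Name $p.Name
                if (Test-Path -LiteralPath $exe) { Remove-Item -LiteralPath $exe -Force }
            }
        }
    }
}

# Report only; add -Remove once the listed entry is confirmed to be the malicious one.
Find-CryaklPersistence | Format-Table -AutoSize
```

Review the reported Command and Executable columns before re-running with -Remove, since a legitimate installer can also place a Run value that starts from Program Files.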